Thanks Ben LTD (“Ben”, “us” and “we” below), Company Number 12335851, has agreed to provide Services to the Customer (“you”, “your”, “user”) in accordance with the Terms of Service.
This Data Processing Agreement ("DPA") forms part of the Agreement between Ben and the Customer for the purchase of Services from Ben.
In providing these Services you agree Ben will process Personal Data on your behalf. You hereby confirm that you have all necessary appropriate consents and notices in place to enable lawful transfer of such personal data to us.
From the date that you agree to the Terms of Service, we will process and protect such Personal Data in accordance with the terms of this Data Processing Agreement. For the purposes of these terms, “personal data”, “sub-processors”, “data subject”, “data controller”, “data processor”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with Data Protection Act 2018 and EU Regulation 2016/679 as amended by Schedule 1 of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (UK GDPR) (the “Data Protection Legislation”).
This DPA shall be governed by and construed in accordance with governing law and jurisdiction of England and Wales, unless required otherwise by applicable Data Protection Legislation. It is acknowledged that for the purpose of the Data Protection Legislation, Ben is the Data Processor and the Customer is the Data Controller.
The Data Controller confirms that it will, in the use of the Services, comply with the Data Protection Legislation. If the Data Controller's instructions, in the Data Processor's opinion, are or will be in conflict with the Data Protection Legislation, the Data Processor will notify the Data Controller without undue delay.
The Data Processor confirms that it will comply with the Data Protection Legislation.
The Data Processor shall only process the Personal Data in accordance with the Controller's documented instructions unless the processing is required by Applicable Law to which the Processor is subject, in which case the Processor shall to the extent permitted by such law inform the Controller of that legal requirement before processing that Personal Data.
The Data Processor will not access or use such personal data except as necessary to maintain or provide the Services, or as necessary to comply with the law or a binding governmental order.
The Data Processor shall take reasonable steps to ensure the reliability of any employee, contractor or Sub-processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the purposes of providing the Services.
You acknowledge and agree that Ben may engage third-party Sub-processors in connection with the provision of the Services.
We will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Personal Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor.
Ben shall be liable for the acts and omissions of its Sub-processors to the same extent Ben shall be held liable under the terms of this DPA, except as otherwise set forth in the Agreement.
Whenever we transfer your personal data out of the EEA, we will ensure adequate measures are in place to protect the Personal Data as required by applicable Data Protection Legislation.
We are responsible for taking reasonable appropriate technical and organisational measures against unauthorised or unlawful processing of the Personal Data or its accidental loss, destruction or damage as is appropriate to the harm that might result. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected.
We will continuously monitor and update our technical and organisational measures. To this end we have implemented the following technical and organisational measures:
The list below describes the specific technical security measures that we have implemented at the time of the Data Processor Agreement:
Without undue delay, we will inform you of any accidental, unauthorised or unlawful processing or any data breach. The information about the data breach will contain:
We will, at your cost, assist you in responding to any request from one of your data subjects and help you comply with your obligations under Applicable Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
The Data Processor is directly responsible for all actions taken by employees, in violation of the Data Processor Agreement, relevant legislation or associated instructions.
The Data Processor is obliged to limit the processing of personal data to necessary personnel, as well as to carry out and maintain training of personnel in the handling and processing of personal data.
All employees subject to the Data Processor, which processes personal data on behalf of the Data Controller, must be subject to confidentiality obligations.
Upon written request from the Data Controller, the Data Processor shall provide the Data Controller or an independent supervisory authority with sufficient documentation to demonstrate compliance with this Data Processor Agreement, as well as the rules of personal data law in force at any given time.
Without prejudice to either party’s right or remedy available to it, this DPA will remain in full force and effect for so long as: the Agreement remains in effect; or the Processor retains any Personal Data related to the Agreement in its possession or control.
The Data Processor's authorisation to process personal data on behalf of the Data Controller lapses upon the termination of the Data Processor Agreement, regardless of the reason for this.
The Data Processor and its Sub-processors will return all personal information to the Data Controller upon termination of the Data Processor Agreement, to the extent that the Data Controller is not already in possession of the personal data. The Data Processor is then obliged to delete all personal information received from the Data Controller. The Data Controller may request the necessary documentation for this.
The Data Processor shall make available to the Data Controller on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Data Controller or an auditor mandated by the Data Controller in relation to the Processing of the Data Controller’s Personal Data by the Data Processor or its Sub-processors. The Data Controller shall bear its own expenses and compensate Ben for the cost with regard to any internal resources required to conduct the audit.
Please note that the following lists may not be exhaustive.
The following types of Personal Data relating to the Company's employees may be shared with Ben in connection with its provision of the Services. Please note that the following lists may not be exhaustive and will depend on scope of services.
The parties are liable in accordance with the general rules of applicable law. Neither party shall be liable for indirect losses and consequential damages, including operating losses, loss of goodwill, loss of savings and income, including expenses to recover lost income, interest loss and loss of data. Neither Party may be held liable for matters commonly referred to as force majeure.
If you have any questions about this DPA, please do not hesitate to contact us at firstname.lastname@example.org